Trusted intermediary for network layer claims-enabled access control

US 8,918,856 B2
Filed: 06/24/2010
Issued: 12/23/2014
Est. Priority Date: 06/24/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising:

at least one processor coupled to a memory, the at least one processor programmed to;

(A) receive from the computer a request for access to the network resource and one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;

(B) in response to receiving from the computer the request for access to the network resource, request from a claims provider, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;

(C) receive from the claims provider the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol;

(D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information and an access control policy that is dynamically generated;

(E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and

(F) removing the one or more requester claims from the request before sending the request to the network resource in accordance with a second protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.

69 Citations

View as Search Results

17 Claims

1. An apparatus for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the apparatus comprising:
- at least one processor coupled to a memory, the at least one processor programmed to;
  
  (A) receive from the computer a request for access to the network resource and one or more requester claims describing attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol;
  
  (B) in response to receiving from the computer the request for access to the network resource, request from a claims provider, on behalf of the network resource, one or more resource claims, the one or more resource claims describing attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource;
  
  (C) receive from the claims provider the one or more resource claims, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol;
  
  (D) request an access control policy decision whether to grant or deny access by the computer to the network resource, the request providing information included in the one or more requester claims and the one or more resource claims, the request being included in a communication formatted to comply with the network layer security protocol, the access control policy decision being based at least in part on the information and an access control policy that is dynamically generated;
  
  (E) receive an access control policy decision indicating that access by the computer to the network resource is granted; and
  
  (F) removing the one or more requester claims from the request before sending the request to the network resource in accordance with a second protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the at least one processor is further programmed to allow the apparatus to operate as a gateway between the computer and the network resource.
  - 3. The apparatus of claim 1, wherein the system comprises a plurality of claim providers, (B) comprises requesting the one or more resource claims from one or more of the plurality of claim providers, and (C) comprises receiving the one or more resource claims from the one or more of the plurality of claim providers.
  - 4. The apparatus of claim 1, wherein (A) comprises receiving the one or more requester claims embedded within a communication from the computer, and wherein the at least one processor is further programmed to extract the requester claims from the communication.
  - 5. The apparatus of claim 1, wherein the apparatus comprises a computer, and wherein the network resource resides on the computer.
  - 6. The apparatus of claim 1, wherein the access control policy decision is further based at least in part on an access control policy that is dynamically generated in response to receipt of the request for an access control policy decision.
  - 7. The apparatus of claim 1, further comprising determining whether or not the one or more resource claims are valid.

8. A method for use in a system comprising a computer in communication via at least one network with a network resource, the at least one network employing a network layer security protocol, the method being performed in response to a request by the computer to access the network resource, the method comprising:
- (A) by a claims provider, receiving from the computer a request for one or more requester claims that describe attributes of one or more of the computer, a user of the computer, a context in which access by the computer to the network resource is requested, and a strength of connection between the computer and the network resource;
  
  (B) by the claims provider, providing the one or more requester claims to the computer, the one or more requester claims being included in a communication formatted to comply with the network layer security protocol, the one or more requested claims retrieved from a static claim repository and a dynamic claim store;
  
  (C) by the claims provider, receiving from an intermediary a request for one or more resource claims that describe attributes of one or more of the network resource, an organization to which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource, the request being sent on behalf of the network resource; and
  
  (D) by the claims provider, providing the one or more resource claims to the intermediary, the one or more resource claims being included in a communication formatted to comply with the network layer security protocol.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - (E) receiving a request for an access control policy decision, the request providing information included in the one or more requester claims and the one or more resource claims; and
      
      (F) issuing an access control policy decision based at least in part on the information received in (E) and an access control policy that is pre-set.
  - 10. The method of claim 9, wherein (E) comprises receiving the request for the access control policy decision from the network resource.
  - 11. The method of claim 8, wherein (A) comprises receiving the request at a plurality of claim providers.
  - 12. The method of claim 11, wherein (C) comprises receiving the request for one or more resource claims at the same plurality of claim providers at which the request for one or more requester claims is received in (A).
  - 13. The method of claim 8, wherein (A) comprises receiving the request from a client application executing on the computer.
  - 14. The method of claim 8, wherein the network layer security protocol is IPsec.

15. At least one computer-readable storage memory having instructions recorded thereon which, when executed by a computer, perform a method of requesting an access control policy decision, the method comprising:
- receiving, from a claims provider, at least one claim comprising information related to the computer;
  
  responsive to receiving a request from the computer for access to a network resource, requesting at least one claim comprising information related to the network resource from the claims provider; and
  
  (A) responsive to receiving the request from the computer for access to the network resource, issuing a request for a decision whether to grant or deny access by the computer to the network resource, the request comprising the information relating to the computer that describes attributes of one or more of the computer, a user of the computer, and a context in which access by the computer to the network resource is requested, and, the information related to the network resource that describes attributes of one or more of the network resource, an organization with which the network resource is affiliated, an owner of the network resource, a stage of deployment of the network resource, and a sensitivity of the network resource, the information relating to the computer being included in a communication formatted to comply with the network layer security protocol, the information relating to the network resource being included in a communication formatted to comply with the network layer security protocol;
  
  (B) receiving a decision to grant access by the computer to the network resource; and
  
  (C) removing the at least one claim comprising information related to the computer from the request before sending the request for access to the network resource.
- View Dependent Claims (16, 17)
- - 16. The at least one computer-readable storage memory of claim 15, wherein (A) comprises issuing, in response to receiving the at least one claim comprising the information related to the computer, a request that includes the at least one claim comprising the information related to the computer.
  - 17. The at least one computer-readable storage memory of claim 15, further comprising instructions comprising determining whether or not the one or more resource claims are valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tor, Yair, Neystadt, Eugene (John), Schnell, Patrik, Ananiev, Oleg, Zavalkovsky, Arthur, Rose, Daniel
Primary Examiner(s)
Dinh, Minh
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US12/822,745
Publication Number

US 20110321152A1
Time in Patent Office

1,643 Days
Field of Search

726/2, 726/11, 726/1, 726/5, 726/7, 726/9, 709/217, 709/218, 709/219, 709/150, 709/182, 713/168, 713/151
US Class Current

726/12
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/164 at the network layer

Trusted intermediary for network layer claims-enabled access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted intermediary for network layer claims-enabled access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links